You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2013-62

Mozilla Foundation Security Advisory 2013-62

Title: Inaccessible updater can lead to local privilege escalation
Impact: High
Announced: June 25, 2013
Reporter: Seb Patane
Products: Firefox

Fixed in: Firefox 22.0

Description

Security researcher Seb Patane reported an issue with the Mozilla Maintenance Service on Windows. He discovered that when the Mozilla Updater executable was inaccessible, the Maintenance Service will behave incorrectly and can be made to use an updater at an arbitrary location. This updater will run with the system privileges used by the Maintenance Service, allowing for local privilege escalation. Local file system access is necessary in order for this issue to be exploitable and it cannot be triggered through web content.

References